25 December 2011

A recent news story noted that a U.S. government agency had
asked some researchers to
withhold
crucial details
about an experiment that showed that the avian flu strain A(H5N1) could
be changed to permit direct ferret-to-ferret spread.
While the problem the government is trying to solve is obvious, it's far from
clear that suppression is the right answer, especially in this
particular case.

There are a few obvious parallels to other situations. Most notably,
in 1940 American physicists decided to stop publishing
papers on nuclear fission. That fact itself — the absence
of published research —
convinced at least
one Soviet scientist, G.N. Flyorov,
that the Americans and British were working on a bomb. Arguably,
this was the crucial factor in the Soviet decision to proceed
with their project; certainly Flyorov mentioned this aspect in his
letter to Stalin, and Stalin took that point very seriously.
(I apologize for pointing to a paper behind a paywall; it's the
most authoritative reference I know of. You can find other
discussion
here
and on
Flyorov's Wikipedia
page.)
In this case, while secrecy may have concealed important details, it
gave away "the high-order bit": the area looked promising enough
to investigate, despite the exigencies of wartime.

That moratorium was voluntary. In the 1960s and 1970s, though, the
NSA tried to suppress outside knowledge of
cryptography
and NSA's own work;
more to the point, they also tried to suppress
civilian academic research
on cryptography.
There were obvious constitutional problems with that, but the
Public Cryptography Study Group (formed by the
American Council on Education in response to the NSA's call for a dialog)
recommended a voluntary system:
researchers could submit their papers to NSA; it in turn could request
(but not demand) that certain things not be published.

As a vehicle for stopping or even slowing research, this notion was
a failure. Possibly, the NSA's intelligence-gathering efforts have been
hurt by widespread knowledge of cryptography; certainly, there's far
more information out there today than there was a generation ago.
In a very strong sense, though, they've won by losing: their real
mission of protecting the country has been helped by the flourishing
of cryptography for civilian use. To give just
one example, cell phone cloning in the 1990s was
largely
done for drug dealers
who wanted to be able to make and receive calls anonymously.
Today, though, cryptographic authentication is used, eliminating an entire
class of attacks.

It's also worth pointing to the tremendous achievements by academic
cryptographers who have shown how to
do more with modern cryptography than exchange keys and
encrypt and sign messages. What James Ellis, the GCHQ researcher
who invented
non-secret encryption —
what today is called public key cryptography — once said to
Whit Diffie is quite accurate: "You did more with it than we did".
But the NSA tried to suppress the entire field.

A third example is more recent still: the full disclosure of the details
of security holes in software. It is still debated if it's a
net benefit or not: do we benefit if the bad guys also learn of
the attacks? On the other hand, it's indisputable that many holes
are closed (or closed promptly) solely because of disclosure or the
threat thereof. Too many companies respond to reports of attacks by
denying them, questioning the competence or integrity of the
discoverer, or even using legal means to try to suppress the report.
Far too often, it seems, bugs are fixed only because of this public
disclosure; without that, they'd remain unfixed, leaving systems
vulnerable to anyone who rediscovered the attack.

The conclusion, then, is that suppression has greater costs than
it might seem. But what about this case? As before, as is
shown in an interview with one of the scientists involved,
Ron A. M. Fouchier,
there
are costs and benefits.
For one thing, what these guys did can't
easily be replicated in a garage lab by amateurs:
"You need a very sophisticated specialist team and sophisticated facilities
to do this."
Terrorists have easier ways to launch bioattacks:

You could not do this work in your garage if you are a
terrorist organization. But what you can do is get viruses
out of the wild and grow them in your garage. There are
terrorist opportunities that are much, much
easier than to genetically modify H5N1 bird flu virus that are
probably much more effective.

And finally, there's the cost of suppression. It is clear from
the interview that public health officials need to know the details,
so they know which flu mutations to watch for. Too many people need
to know for secrecy to be effective:

We would be perfectly happy if this could be executed, but
we have some doubts. We have made a list of experts that
we could share this with, and that list adds up to well
over 100 organizations around the globe, and probably 1,000
experts. As soon as you share information with more than
10 people, the information will be on the street. And so
we have serious doubts whether this advice can be followed,
strictly speaking.

(I have personal experience with this. Some 20 years ago, I invented
DNS cache contamination attacks. After talking with various people,
I decided not to publish, choosing instead to share
the paper
with
trusted colleagues and with
CERT. These colleagues, in Washington
and elsewhere, undoubtedly shared it further still. Perhaps someone
shared it imprudently, perhaps it was stolen by hacking, or perhaps
the bad guys rediscovered the attack, but eventually the attack showed up in
the wild — at which point I published. I concluded that the real
effect of the delay was to hinder the development of countermeasures. In
other words, I was wrong to have held back the paper.)

The ultimate decision may rest on personal attitudes. To quote
Fouchier one more time, "The only people who want to hold back are the
biosecurity experts. They show zero tolerance to risk. The public health
specialists do not have this zero tolerance. I have not spoken to a single
public health specialist who was against publication."